BIND 9 Logging Question

buggabill · 12-11-2006, 08:06 AM

I am running BIND9 on a Debian machine as a local caching server.

Logcheck is returning numerous counts of this:

Dec 11 06:44:36 carmine named[25566]: unexpected RCODE (REFUSED) resolving 'www.specialoffersnetworks.com/A/IN': 209.68.1.15#53

I do not have any forwarding turned on. Is this BIND trying to forward to some other dns server, or is there a machine on the network trying to go to this ip address. IF there is a machine doing it, how can I get the 'offending' machine's ip address?

unSpawn · 12-11-2006, 10:35 AM

Probably pair.com DNS server malarky. What happens if you add the "lame-servers" directive to your named.conf (restart named)?

how can I get the 'offending' machine's ip address?
You could run tcpdump on the DNS server. Say you serve requests on eth2 for clients from subnet 10.144.122.0/24: "tcpdump -w /var/log/tcpdump.pcap -i eth2 -n -nn -v src 10.144.122.0 and port 53". Note this turns on ethernet device promiscuous mode. Also note if you don't like to sniff as root use "-U". BTW, if you want to resolve addresses for localnet purposes and have a persistent cache of resolved addresses you don't need to run Named with all its dependencies: check out Pdnsd.

fur · 12-11-2006, 10:43 AM

To enable bind to log queries, add this to named.conf, and restart it.

Code:

logging {
          channel "querylog" { file "/var/log/bind9-query.log"; print-time yes; };
                    category queries { querylog; };

chort · 12-11-2006, 11:52 AM

Perhaps pair.com is refusing to resolve queries for spam and/or spyware domains? It seems like your TCP (wtf am I smoking? dns doesn't use TCP for short queries) connection may have been rejected for that request, or pair might have patched their DNS servers to allow for specific queries to be refused.

Any way, it looks like a machine on your network is probably infested with spyware and it's trying to resolve "www.specialoffersnetworks.com". When your nameserver does the recursive lookup, the nameserver at PAIR is refusing it. ns3.pair.com is listed as the first nameserver in the whois record for specialoffersnetworks.com. That is 209.68.1.15. I'm getting a SERVFAIL even trying to lookup their SOA record. Iiiinnnnnnnteresting.

unSpawn · 12-11-2006, 03:16 PM

ns3 doesn't appear synced, ns1 does seem to know the domain though.

buggabill · 12-12-2006, 03:30 PM

Wow... I appreciate all the responses. What I have done so far is add the query logging. I will try tcpdump afterwards if I do not get anywhere. I know it has to be some user on our network with some sort of adware on their machine. I am just looking for which one. We do have a couple of habitual offenders...

Again, thanks for all the help!

buggabill · 12-13-2006, 12:31 PM

Found what I was looking for in the logs. Thanks folks!